From ff69d42fd57e64112af50b15ed03526a205b0f98 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 13:29:17 -0400 Subject: [PATCH 01/12] Initial commit of rule for issue 5524 --- .../sshd_disable_x11_forwarding/rule.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml new file mode 100644 index 0000000000..c0c01728e9 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -0,0 +1,46 @@ +documentation_complete: true + +title: 'Disable X11 Forwarding' + +description: |- + The X11Forwarding parameter provides the ability to tunnel X11 traffic + through the connection to enable remote graphic connections. + SSH has the capability to encrypt remote X11 connections when SSH's + X11Forwarding option is enabled. +

+ To disable X11 Forwarding, add or correct the + following line in /etc/ssh/sshd_config: +
X11Forwarding no
+ +rationale: |- + Disable X11 forwarding unless there is an operational requirement to use X11 + applications directly. There is a small risk that the remote X11 servers of + users who are logged in via SSH with X11 forwarding could be compromised by + other users on the X11 server. Note that even if X11 forwarding is disabled, + users can always install their own forwarders. + +severity: low + +references: + cui: 3.1.13 + disa: "366" + nist: CM-6(a),AC-17(a),AC-17(2) + nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: "040710" + stigid@sle12: "030260" + isa-62443-2013: 'SR 7.6' + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01 + iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4 + cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9 + +{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} + +template: + name: sshd_lineinfile + vars: + missing_parameter_pass: 'false' + parameter: X11Forwarding + rule_id: sshd_disable_x11_forwarding + value: 'no' From f1bc29396cf2953fb4cb9cb17d6b8537f7be22f1 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 13:34:02 -0400 Subject: [PATCH 02/12] Haven't found references except for Solaris 11. Remove reference section --- .../sshd_disable_x11_forwarding/rule.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index c0c01728e9..66872d01ab 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml 
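Review bot: The check as templated here (`sshd_lineinfile` with `parameter: X11Forwarding`) only evaluates the global `X11Forwarding` directive in /etc/ssh/sshd_config, so a `Match User`/`Match Group` block that sets `X11Forwarding yes` re-enables forwarding for those accounts while the rule still passes — assuming the template is a plain line match, which is not visible on this page. That limit belongs in the rule text; I would add to the description: `Note that an X11Forwarding setting inside a Match block is not evaluated by this rule; confirm the effective value with sshd -T -C user=<name>.` The rationale's last sentence ("users can always install their own forwarders") is the sshd_config(5) caveat and is worth keeping, since it explains why severity is low. The `missing_parameter_pass: 'false'` flag contradicts the OCIL macro's `default="no"` in this same hunk; a later patch in the series flips it, so I am not proposing a change here.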
@@ -21,20 +21,6 @@ rationale: |- severity: low -references: - cui: 3.1.13 - disa: "366" - nist: CM-6(a),AC-17(a),AC-17(2) - nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 - srg: SRG-OS-000480-GPOS-00227 - stigid@rhel7: "040710" - stigid@sle12: "030260" - isa-62443-2013: 'SR 7.6' - isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 - cobit5: BAI03.08,BAI07.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS03.01 - iso27001-2013: A.12.1.1,A.12.1.2,A.12.1.4,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.14.2.2,A.14.2.3,A.14.2.4 - cis-csc: 1,11,12,13,15,16,18,20,3,4,6,9 - {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} template: From fb105b63c1ae36f309ede1831b8bae7a8d3ca4c7 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 13:56:05 -0400 Subject: [PATCH 03/12] Added CIS Reference --- .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 66872d01ab..88ed64c681 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -23,6 +23,9 @@ severity: low {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} +references: + cis@rhel8: 5.2.6 + template: name: sshd_lineinfile vars: From 93f1dd883c3bef0e0df0a0eab87a8eaa75134637 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 13:58:34 -0400 Subject: [PATCH 04/12] CIS RHEL 7 Benchmark Reference --- .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 88ed64c681..c56d498972 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -24,8 +24,9 @@ severity: low {{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} references: + cis@rhel7: 5.2.5 cis@rhel8: 5.2.6 - + template: name: sshd_lineinfile vars: From 96a51e5a2496c40aa28d9aace336ee75c26afdeb Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 14:09:25 -0400 Subject: [PATCH 05/12] MOre CIS References --- .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index c56d498972..92cdbc2151 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -26,6 +26,8 @@ severity: low references: cis@rhel7: 5.2.5 cis@rhel8: 5.2.6 + cis@sle12: 5.2.4 + cis@sle15: 5.2.6 template: name: sshd_lineinfile From da6fb541c8085d3f6a29f2569615201f3c88bda4 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 15:39:53 -0400 Subject: [PATCH 06/12] Modified per pull request comments. --- .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 92cdbc2151..bea57e74aa 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml 
@@ -21,7 +21,9 @@ rationale: |- severity: low -{{{ complete_ocil_entry_sshd_option(default="no", option="X11Forwarding", value="no") }}} +ocil_clause: "that the X11Forwarding option exists and is enabled" + +ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}' references: cis@rhel7: 5.2.5 @@ -32,7 +34,7 @@ references: template: name: sshd_lineinfile vars: - missing_parameter_pass: 'false' + missing_parameter_pass: 'true' parameter: X11Forwarding rule_id: sshd_disable_x11_forwarding value: 'no' From b0b3524c550d3007b33a2d3bdda7d8925dd2fe00 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 16:17:05 -0400 Subject: [PATCH 07/12] Modified per comment --- .../ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index bea57e74aa..14771fcc9a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -23,7 +23,8 @@ severity: low ocil_clause: "that the X11Forwarding option exists and is enabled" -ocil: '{{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}' +ocil: |- + {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} references: cis@rhel7: 5.2.5 From 84f97ae10eaf3c4118f8efa00d7d887ec44db150 Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 16:24:28 -0400 Subject: [PATCH 08/12] Added check to RHEL7,8 CIS Profile per request --- rhel7/profiles/cis.profile | 3 ++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile index 739ed27200..ba413cb1d8 100644 --- a/rhel7/profiles/cis.profile +++ b/rhel7/profiles/cis.profile 
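Review bot: `missing_parameter_pass: 'true'` makes an absent directive compliant, which is only sound because OpenSSH's compiled-in default for X11Forwarding is `no` per sshd_config(5); a distribution-shipped sshd_config that sets `X11Forwarding yes` explicitly is still caught. That reliance on the upstream default should be recorded next to the flag so nobody flips it back when a distro ships a different file, e.g. `# OpenSSH defaults X11Forwarding to "no" (sshd_config(5)), so a missing directive is compliant.` The new `ocil_clause` reads `that the X11Forwarding option exists and is enabled`; since presence alone is not the failing condition, `that X11Forwarding is set to yes` states what the auditor is actually looking for. The rule.yml both hunks edit starts and ends outside them.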
@@ -578,7 +578,8 @@ selections: - sshd_set_loglevel_info ### 5.2.4 Ensure SSH X11 forwarding is disabled (Scored) - + - sshd_disable_x11_forwarding + ### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less (Scored) - sshd_set_max_auth_tries From 1618a15fb61c447770fd54e131c15445f765eabc Mon Sep 17 00:00:00 2001 From: eradot4027 Date: Thu, 2 Apr 2020 20:16:53 -0400 Subject: [PATCH 09/12] Fixed OCIL Clause --- .../services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 14771fcc9a..09dd808e99 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -26,6 +26,7 @@ ocil_clause: "that the X11Forwarding option exists and is enabled" ocil: |- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} + references: cis@rhel7: 5.2.5 cis@rhel8: 5.2.6 From e593461ca7cc38b5125f4413c445c4f9e9261c4e Mon Sep 17 00:00:00 2001 
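Review bot: The rule is filed under `### 5.2.4 Ensure SSH X11 forwarding is disabled` here, but rule.yml (patch 04 of this series) records `cis@rhel7: 5.2.5`, and the very next header in this hunk is `### 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less`; one of the two numberings is wrong and should be aligned with the benchmark version the profile tracks, most likely by changing the reference to `cis@rhel7: 5.2.4`. The commit subject and diffstat (`2 files changed, 11 insertions(+), 10 deletions(-)`) indicate the RHEL 8 CIS profile was edited too, but only rhel7/profiles/cis.profile appears on this page, so that change could not be reviewed. The `selections:` list this hunk edits begins before and continues after the hunk.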
From: eradot4027
Date: Fri, 3 Apr 2020 10:49:57 -0400
Subject: [PATCH 10/12] Added OVAL and tests
---
.../sshd_disable_x11_forwarding/oval/shared.xml | 1 +
.../sshd_disable_x11_forwarding/tests/comment.pass.sh | 9 +++++++++
.../tests/correct_value.pass.sh | 9 +++++++++
.../tests/line_not_there.pass.sh | 5 +++++
.../tests/wrong_value.fail.sh | 9 +++++++++
5 files changed, 33 insertions(+)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
new file mode 100644
index 0000000000..88b4e756f5
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
@@ -0,0 +1 @@
+{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}}
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
new file mode 100644
index 0000000000..2b2e7869af
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/comment.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+ sed -i "s/^X11Forwarding.*/# X11Forwarding no/" /etc/ssh/sshd_config
+else
+ echo "# X11Forwarding no" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..f8b1ed4685
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/correct_value.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+ sed -i "s/^X11Forwarding.*/X11Forwarding no/" /etc/ssh/sshd_config
+else
+ echo "X11Forwarding no" >> /etc/ssh/sshd_config
+fi
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
new file mode 100644
index 0000000000..53a3d754b8
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/line_not_there.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+sed -i "/^X11Forwarding.*/d" /etc/ssh/sshd_config
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..bbb09f62d0
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/tests/wrong_value.fail.sh
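Review bot: `sed -i "/^X11Forwarding.*/d"` in line_not_there.pass.sh removes only a column-0, exact-case directive, whereas sshd accepts keywords case-insensitively and with leading whitespace, so a test image carrying `  x11forwarding yes` keeps the directive and makes this pass scenario fail for the wrong reason; the same anchored `^X11Forwarding` grep/sed pattern is repeated in comment.pass.sh and correct_value.pass.sh. A case-insensitive, whitespace-tolerant form such as `sed -i -E "/^\s*X11Forwarding\b/Id" /etc/ssh/sshd_config` makes the setup robust without changing what the scenario asserts. All three scripts declare `# profiles = xccdf_org.ssgproject.content_profile_ospp`, while the only profile this series visibly adds the rule to is CIS; if the harness requires the rule to be selected by the named profile, the header may need to name one that contains it — which profiles select the rule cannot be verified from this page.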
@@ -0,0 +1,9 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+if grep -q "^X11Forwarding" /etc/ssh/sshd_config; then
+ sed -i "s/^X11Forwarding.*/X11Forwarding yes/" /etc/ssh/sshd_config
+else
+ echo "X11Forwarding yes" >> /etc/ssh/sshd_config
+fi
From 192c1ee531a838c91db37108f49124295cc5cec3 Mon Sep 17 00:00:00 2001
From: eradot4027
Date: Fri, 3 Apr 2020 13:10:49 -0400
Subject: [PATCH 11/12] Removed OVAL in favor of template
---
.../ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
deleted file mode 100644
index 88b4e756f5..0000000000
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml
+++ /dev/null
@@ -1 +0,0 @@
-{{{ oval_sshd_config(parameter="X11Forwarding", value="no", missing_parameter_pass=true) }}}
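Review bot: wrong_value.fail.sh exercises only the canonical spelling `X11Forwarding yes` at column 0, so it cannot show whether the check also catches the spellings sshd itself accepts — `x11forwarding yes`, an indented directive, or `X11Forwarding=yes` — nor a `Match` block that re-enables forwarding for a user or group. One fail scenario per variant (for example a `case_insensitive.fail.sh` that writes `x11forwarding yes`) would pin down which of these the `sshd_lineinfile` template is expected to detect. If the template does not evaluate `Match` blocks, a `match_block` scenario would have to be a `.pass.sh` carrying a comment that names the known gap rather than a `.fail.sh`. Whether the template's pattern is case-insensitive is not visible on this page, so the expected result of each added scenario should be confirmed against the template first.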